Archive

Continuing a series started this summer about how Google (original post here) and Yahoo users (original post here) could control their data, E-Crime Expert presents today how Facebook users could control their data by having their accounts deactivated, memorialized or deleted.
Unlike Yahoo, Facebook does not disable profiles that are not being actively used.

A Facebook account closes only if the user chooses to disable it (deactivate or delete); when a family member, for example (i.e. of a deceased account holder), requests that the account be memorialized or removed; or as a result of a breach of Facebook terms and policies.

2) Choose the “Security” (step 1) tab on the left side menu (then “Security settings” will display on the right), go to the bottom of the “Security settings” menu where you’ll see the “Deactivate your account” button (Fig.2). Click on it (step 2).

Fig. 2

3) A new page will be displayed. Choose one of the reasons you are disabling your account (Step 1), check the “Opt out” box if you do not want to receive further emails from Facebook (Step 2) and then click on “Confirm” (Step 3). Fig. 3.

When you deactivate your account, your timeline and all information associated with it disappears from Facebook immediately. People on Facebook will not be able to search for you or view any of your information.
If you’d like to come back to Facebook anytime after you’ve deactivated your account, you can reactivate your account by logging in with your email and password. Your timeline will be restored in its entirety (friends, photos, interests, etc.). You will need to have access to the login email address for your account in order to reactivate it.

2) Type in the search box (Step 1): “Delete my account” and then click on the “How do I permanently delete my account” (Step 2) link from the options displayed in the drop-down menu (Fig.6).

Fig. 6

3) A new menu will open where you need to click on “Fill out this form” (the red box illustrated in Fig. 7).

Fig. 7

4) The last step requires you to click on the “Delete My Account” button displayed (Fig.8).

Fig. 8

Permanently deleting your account means you will not ever be able to reactivate or retrieve any of the content or information you’ve added. Your account will be permanently deleted with no option for recovery.

3) Memorializing Accounts

When a person passes away, Facebook memorializes their account to protect their privacy. Here are some of the key features of memorialized accounts:
• No one can log into a memorialized account and no new friends can be accepted
• Depending on the privacy settings of the deceased person’s account, friends can share memories on the memorialized timeline
• Anyone can send private messages to the deceased person
• Content the deceased person shared (ex: photos, posts) remains on Facebook and is visible to the audience it was shared with
• Memorialized timelines don’t appear in People You May Know and other suggestions
If you need to report a timeline to be memorialized, please contact Facebook here.

And follow the 5 steps below (Fig. 9):

1. Link to the timeline of the person you submit the request for;
2. Insert the email address of the account you submit the request for;
3. Indicate your relationship status with that person;
4. Insert a link to a public/private commemoration of the deceased person (i.e. obituary or news). Please consider NOT uploading videos or pictures;
5. Click on memorialize account.

Fig. 9

4) Removing the account of a deceased person

Verified immediate family members may request the removal of a loved one’s account from Facebook by clicking here.

In order to complete this process, follow the 9 steps below (Fig. 10):
1. Enter your full name;
2. Enter the full name of the deceased person;
3. Enter the email account (linked to their Facebook account) of the deceased person;
4. Enter the web address of their timeline like this: https://www.facebook.com/john.doe

! Replace the john.doe example with the name of your deceased friend.

5. Indicate your relationship to that person;
6. Click on the “Please remove the account” field.
7. Indicate the year when that person passed away;
8. Provide proof of your relationship with the deceased by uploading a death certificate or similar;
9. Last step: click “Send”

Fig. 10

Any questions can be submitted to: dan@e-crimeexpert.com
Additional information can be found at: http://www.e-crimeexppert.com
To find out more about Dan Manolescu, visit his LinkedIn page here.
Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog

E-Crime Expert starts today a series that enables users to manage their online data (electronic assets) if they become inactive (i.e. accident, jail time, passed away, etc). Let’s say this is a WILL (testament) for electronic assets which is similar in scope to a WILL for material assets (i.e. house, boat, car, etc).

Google has a program called Inactive Account Manager that allows those who use Google services to decide exactly how they want to manage their online data stored with the company (i.e. Gmail, Picasa, YouTube, blogs, Wallet, etc).

What should happen to your photos, emails and documents when you stop using your account? Google puts you in control.

You might want your data to be shared with a trusted friend or family member, or, you might want your account to be deleted entirely. There are many situations that might prevent you from accessing or using your Google account. Whatever the reason, Google gives you the option of deciding what happens to your data.

Using Inactive Account Manager, you can decide if and when your account is treated as inactive, what happens with your data and who is notified.


E-Crime Expert presents to you today a search engine which is totally different (in functionality and scope) from the ones we are used to (i.e. Google, Bing, etc).

For us (E-Crime Expert), Shodan has a positive value as it uncovers security vulnerabilities. Used by others (i.e. cybercriminals), Shodan could have a negative side as it enables access to different systems (routers, webcams, etc) which have little or no security protection.

According to the description available on their main page here, “SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners”.

Web search engines, such as Google and Bing, are great for finding websites. Rather than locating specific content for a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content.

How to use it:

Create a SHODAN account and log in with it, or log in using one of several other options (Google, Twitter, Yahoo, AOL, Facebook, OpenID).

Logging in is not required, but country and net filters are not available unless you log in.

Basic Operations:

Filters
-country: filters results by two letter country code hostname;

-filtering by country can also be accomplished by clicking on the country map (available from the drop down menu);

-mouse over a country for the number of scanned hosts for a particular country.

After the search returns some entries (webcams located in a certain area), just click on one of those entries and you will have instant access to what that webcam records live (Fig 1).

Figure 1.

Examples:

Note: E-Crime Expert will try to contact all the owners of these vulnerable systems in order to report their security issues and advise how to protect their devices with appropriate passwords and security measures.

Please watch the video or read our material on how to create a stronger password.

1. Run a search for all existing default passwords, as shown in Figure 2.
Having access to the password, one could enter the router’s settings and change them or even more, use the router as a back door to access any device connected to it such as a computer, printer, etc.

Figure 2.

2. Once we selected a webcam, click on it and wait for the live footage to play.
What we see is an intersection which could be considered as a public space. The live feeds record everything live (Fig. 3).

Figure 3.

3. The access is granted regardless of the geographical location: E-Crime Expert had access to a webcam located in Russia from a computer located in North America (Figure 4).

Figure 4.

4. We next tested a webcam which was recording someone’s home front steps, perhaps for security reasons. The issue here is the camera’s angle: it also records the next-door neighbor’s front alley, car and probably anyone entering their house (Fig. 5).

Figure 5.

5. The next example is more intrusive as it transmits live feeds from a restaurant where clients could be identified along with the staff members. The purpose of this camera is theft protection but, due to its non-existent security measures, anyone on the Internet could now check who came to that restaurant and at what time, transforming the purpose of that camera into a monitoring one (Fig. 6).

Figure 6.

6. Not surprisingly, the next webcam is even more intrusive, showing live the staff member working in a convenience store, with a “from behind the counter” view. Anytime the staff opens the money drawer, everyone having access to this webcam (available worldwide as shown in this blog post) could approximate how much money is available there. Besides invading the privacy of the clients and of the staff member, this could potentially also lead to robberies or similar attacks (Fig. 7).

Figure 7.

7. The last example is the most intrusive and concerning one, as it transmits live video streaming from someone’s home. It is intrusive because most probably the guests visiting this person are not aware of the webcam, and also because the footage is now available not just to the security company in charge of protecting this home, but also to virtually anyone on the Internet. The second concerning aspect is that anyone could see what is available on the kitchen counter, whether a large amount of cash, cheques or other valuable goods. This, again, could lead to robberies or other violent crimes (Fig. 8).

Figure 8.

Conclusions:

SHODAN aggregates a significant amount of information that is not already widely available in an easy to understand format.

SHODAN collects basic information about the websites, the information “from the inside”, data covering the so-called back-end (simplified information about the type of your server software versions, and so on). On the one hand, it is therefore an excellent data base for those involved in security – but on the other, it is also a source of information for cybercriminals.

The Shodan software runs 24 hours a day. It automatically reaches out to the World Wide Web and identifies digital locators, known as internet protocol addresses, for computers and other devices. For security monitoring teams, Shodan may present some serious challenges. It is highly unlikely that security monitoring teams will ever be alerted to an attack that is using Shodan.

From a privacy perspective, some information on the World Wide Web is accessible to anyone simply by running a search, yet should not necessarily be regarded as publicly available information, such as the webcam in someone’s home, in a store, at a gas station, etc. This is not publicly available information from a legal perspective, but it effectively becomes available to anyone because some monitoring systems have little or no security measures. According to most international privacy legislation, a surveillance camera should be installed and used only on a legal basis and after a privacy impact assessment is done (as a best practice). That legal basis strictly refers to the purpose for which the camera is used, which definitely does not grant worldwide access to the footage, except where the space in question is public (i.e. park, street, etc).

Even where the area under surveillance is a public one, there are cases when footage or pictures of those public spaces record more than the public space itself (i.e. Google maps litigations for capturing more than the streets, etc).

The Privacy Impact Assessment is specifically done (among other things) to make sure that no unauthorized person has access to the footage recorded by a surveillance camera. Being able to find this footage publicly on the Internet falls outside the privacy and security requirements and measures in place for a surveillance camera located either within a public space (with the potential of recording private areas as well) or in a household, which is by definition a private space. Probably some of these surveillance cameras are installed by the household owners, aiming to act as theft protection and consequently to be accessible only to the police or other law enforcement entities.

On the contrary, global access to this kind of footage does not align with most existing international privacy legislation.

Once again, E-Crime Expert has taken this opportunity (SHODAN – search as a positive tool) to assess current privacy and security issues.

Disclaimer: This Blog post is not intended to advertise Bitcoin, nor to encourage or discourage people from investing in it. It is purely descriptive and provides our readers with the basic information on Bitcoin.

I. Characteristics:

Bitcoin is a decentralized digital currency based on an open-source, peer-to-peer internet protocol. It was introduced by a pseudonymous developer named Satoshi Nakamoto in 2009.

– can be exchanged through a computer or smartphone locally or internationally without an intermediate financial institution.

– in trade, one bitcoin is subdivided into 100 million smaller units called satoshis, defined by eight decimal places.

– It is not managed like typical currencies: it has no central bank or central organization. Instead, it relies on an internet-based peer-to-peer network. The money supply is automated and given to servers or “bitcoin miners” that confirm bitcoin transactions as they add them to a decentralized and archived transaction log approximately every 10 minutes (Fig. 1).

Fig. 1

II. Transactional model:

Bitcoin is the most widely used alternative currency and accepted by various merchants and services internationally. As of March 2013, the monetary base of bitcoin is valued at over $1 billion USD.
Each 10-minute portion or “block” of the transaction log (as time spent) has an assigned money supply that is awarded to the miners once a “block” is confirmed.

10 minutes time spent=certain Bitcoin amount

The amount per block depends on how long the network has been running and how much in transaction fees has been paid. Currently, 25 new bitcoins are generated with every 10-minute block. This will be halved to 12.5 BTC during the year 2017 and halved continuously every 4 years after until a hard limit of 21 million bitcoins is reached during the year 2140.
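The halving schedule described above, as an added example (not code from the original post or from the Bitcoin project). The 50 BTC starting reward and the 210,000-block halving interval are protocol constants that the post does not state; the arithmetic is done in whole satoshis, which is why the cap ends up slightly below 21 million.

```python
# Added example: Bitcoin block-reward schedule in integer satoshis.
# Assumed protocol constants (not stated in the post): 50 BTC initial
# reward, halving every 210,000 blocks (about 4 years at 10 minutes/block).
COIN = 100_000_000             # satoshis per bitcoin ("100 million" in the post)
INITIAL_SUBSIDY = 50 * COIN
HALVING_INTERVAL = 210_000


def block_subsidy(height: int) -> int:
    """Newly created satoshis for the block at `height` (fees excluded)."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0
    # Integer right shift: fractions of a satoshi are dropped at each halving.
    return INITIAL_SUBSIDY >> halvings


def supply_schedule():
    """Yield (era, first_height, subsidy, cumulative_supply) per halving era."""
    total, era = 0, 0
    while True:
        first_height = era * HALVING_INTERVAL
        subsidy = block_subsidy(first_height)
        if subsidy == 0:
            return
        total += subsidy * HALVING_INTERVAL
        yield era, first_height, subsidy, total
        era += 1


def max_supply() -> int:
    """Total satoshis ever created once the reward has reached zero."""
    return list(supply_schedule())[-1][3]


if __name__ == "__main__":
    for era, height, subsidy, total in supply_schedule():
        print(f"era {era:2d} from block {height:>9,}: "
              f"{subsidy / COIN:.8f} BTC/block, {total / COIN:,.8f} BTC issued")
```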

In October of 2011, a bitcoin was trading at around $5. Today, by contrast, a single bitcoin is worth just north of $140-$150.

The network’s software confirms transactions when it records them in the transaction log or “blockchain” stored across the peer-to-peer network every 10 minutes. Confirmation of future transaction records makes the ones before them increasingly permanent. After six confirmed records or “blocks” (usually one hour: 10 minutes x 6 blocks), a transaction is usually considered confirmed beyond reasonable doubt.

Initiators of a bitcoin transaction may voluntarily pay a transaction fee for the confirmation of these records. Any fees are collected by the operators of bitcoin servers — often called nodes or “bitcoin miners”.

However, transaction fees may not cover the cost of electrical power required to operate a bitcoin miner. As a result the network server operators often rely on “mined” bitcoins as their only significant revenue.

Basically, mining means that a user X gets an amount Y of Bitcoins (in transaction fees) for facilitating the transaction while lending out his resources (computer, electricity usage, etc). It could be done either individually or by joining a mining pool. There is software for doing this: Python OpenCL Bitcoin Miner (poclbm), graphical interface (GUI), etc. (Fig. 2).

Fig. 2

III. Authentication/Security:

The transaction log is authenticated by end-users through hashed ECDSA digital signatures (similar to a username and password; you could read E-Crime Expert’s Blog Post here) and confirmed by intense calculations of varying difficulty, performed by dedicated servers called bitcoin miners.

Based on digital signatures, payments are made to bitcoin “addresses” or “public keys”: human-readable strings of numbers and letters around 33 characters in length, always beginning with the digit 1 or 3, as in the example of 175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W.

Users obtain new bitcoin addresses as necessary; these are stored in a wallet file with links to cryptographic passwords or “private keys” that enable access to and transfer of bitcoins. A file or “wallet” containing bitcoin addresses is usually encrypted with an additional password.

An online purchase is considered safer with bitcoin versus a credit or debit card, according to Denis G. Kelly, a leading identity theft and fraud prevention expert.

“When using payment cards, you are required to include your account number and your billing address,” Kelly said. “With this information, identity thieves are off and running. Whereas with Bitcoin, their encryption renders it so that only the owner of the bitcoins can use them.” (Fig. 3).

Fig.3

IV. Privacy:

Because Bitcoin transactions are broadcast to the entire network, they are inherently public. Using external information, it is possible, though usually difficult, to associate Bitcoin identities with real-life identities. Unlike regular banking, which preserves customer privacy by keeping transaction records private, loose transactional privacy is accomplished in Bitcoin by using many unique addresses for every wallet, while at the same time publishing all transactions.

E-Crime Expert explains in this blog post the steps to be taken when your email or Social Networking Site has been hacked or compromised.

When someone’s friends or close contacts start saying that they are receiving emails or messages that the person never sent, or when online content appears that the person never posted, it could mean that someone else has gained illegitimate control over that individual’s email or Social Networking Site account.

If this happens, in order to limit the damage and the possibility of spreading malware/viruses to others, first change the passwords to all accounts that have been compromised and to other important accounts*, and then notify all contacts that they may receive spam messages that appear to come from the compromised account.

It could also happen that one cannot access his/her account anymore because a password has been changed.

If this happens, the contact details for the most popular email and Social Networking Site providers are given below:

This Article explains the concept of transferring personal data from EU to third countries, what those third countries mean, the principles for making such transfers legitimate and the derogations from these principles, and last but not least, the transfer mechanisms of personal data to third countries.

Considering the legal requirements of the Directive 95/46/EC, Article 25… the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if… the third country in question ensures an adequate level of protection…this Article provides three legal mechanisms for such transfers:

-Safe Harbor Agreement principles – for Organizations or entities located in the U.S.

The Article provides Organizations or entities with all current available mechanisms for data transfer from the European Union to third countries, regardless if those Organizations are independent-single entities or multinational ones.

This Article was written by Dan Manolescu. If interested, you could read the full Article published by InfoSec Institute here.

If you would like to find out more about InfoSec, you could visit this page here.